As quantum computing draws near, cryptography security concerns grow

Quantum computing has just made a great leap forward, but there are dark clouds on the horizon. The new leap forward has dizzying security implications for the whole tech ecosystem. In this article, Dan Timpson asks if we should start the doomsday clock.

We now have the first proof of quantum computing’s superiority. When comparing the processing power of quantum and classic circuits, researchers at the Technical University of Munich conclusively demonstrated that quantum computers can solve problems faster and more effectively. This milestone marks not just an auspicious beginning, but a very ominous one too.

IBM, Google, and Boeing are already making massive investments into quantum computing. In fact, according to Gartner, 20 percent of all companies will be investing in this area within the next five years.

This means great things for technology; there’s a reason they call it a quantum leap! But sooner or later, it’s going to be used by people with bad intentions with devastating effects.

LIVING IN A POST-CONTAINER WORLD
Free: Brand new Serverless Architecture Whitepaper

Stay on top of the latest trends with the help of our Serverless Architecture Whitepaper. Get deep insights on serverless platforms, cloud-native architecture, cloud services, the Kubernetes ecosystem (Knative, Istio etc.) and much more!

Why worry about quantum computing?

Classical computing uses memory composed of bits, which are capable of generating 1s or 0s. A quantum computer uses qubits, which can be composed of 1s, 0s or multiple values at the same time. That capability allows us to solve multiple problems concurrently, freeing us from the binary constraints of classical computing. Quantum computing promises to change the face of computing as we currently know it.

Much of the worry about quantum computing comes from the simple fact that it can defeat much of modern encryption. In fact, the U.S. National Institute of Standards and Technology (NIST) believes that quantum computing will break the most of the near-ubiquitous encryption protocols like RSA and Elliptic Curve public key cryptography that underpin so much of the modern internet. 128-bit encryption, for example, is used by governments, enterprises and home users alike. It is estimated that it will quickly buckle under the force of quantum.

Of course, nation states are likely to be the first to attain and use this kind of technology to catastrophic consequences. US Congressman Will Hurd, Chair of the Information Technology Subcommittee of the Committee on Oversight and Government Reform, characterized the shockwave that quantum would send in international relations in Wired last year. He said, “In the same way that atomic weaponry symbolized power throughout the Cold War, quantum capability is likely to define hegemony in today’s increasingly digital, interconnected global economy.”

Quantum computing could be commercially available in as little as 10 years. When hackers do get a hold of this technology, there will be trouble. That said, security adoption cycles can be slow – take a look at Heartbleed, for example. Organizations must start preparing now to face the new landscape that quantum computing will bring about.

Putting up the barricades

The implications are profound for everyone from governments to the enterprise to the home user. Many organizations are developing quantum-resistant algorithms and public key cryptography to combat this future threat. NIST is already working on a cryptography standard for the post-quantum world. Unfortunately, cryptographic transformation is often slow. The decade it took to adopt Elliptic Curve is just such an example.

However effective these countermeasures might be, enterprises shouldn’t wait around for them. The first step towards quantum-resistance will be to identify your own encryption systems and assess whether they can stand up to that threat. While quantum will be able to break 128-bit encryption keys, it will not be able to the do the same for longer versions. AES-256 or SHA-512 are good choices to replace your quantum vulnerable keys.

Hash-based signatures also go a long way to resisting quantum-based attacks, even if they can only sign a finite number of things. NIST is expected to standardize hash based signatures next year, so it makes sense to get ahead of the curve here anyway.

Most of all, customers should be leaning on their providers to prepare for the arrival of quantum and to include Public Key Infrastructure in their developments.

The industry is already hard at work developing quantum-resistant tools, the first of which are already available. Blackberry, for example, has recently publicly launched quantum-resistant security tools. Their offerings include a code signing server which will allow software to be made resistant to quantum attacks.

Start preparing now

Any and every technological development brings with it these kinds of concerns. IoT, for example, has a plethora of legitimate uses and in many cases will be able to save lives in greater numbers due to those developments. However, our early experiences of such technology have also led to its illicit abuse, including the construction of vast and destructive DDoS botnets. Technology is ultimately an amoral, neutrally-charged tool that depends upon the intentions of the user to be helpful or harmful. If one side of the law is interested, you can be sure that the other is too.

Quantum powered hackers are not here yet, but we can now see their outline on the horizon. There is still time to prepare before it docks. Still, we should be sure to prepare for that day because when it arrives, everything is going to change.

Be the first to share this article with your network!

Author

Dan Timpson

Dan Timpson was promoted to Chief Technology Officer for DigiCert in January 2015 after serving as their VP of Technology for two years. As CTO, Timpson is responsible for DigiCert’s technology strategy and plays a key role in leading the security industry by driving new initiatives. At DigiCert, Timpson’s team is constantly working to simplify certificate management for DigiCert customers and strengthen the security of DigiCert’s products against evolving threats. Additionally, Timpson contributes strategic oversight and program management to DigiCert’s products and features.

Prior to joining DigiCert, Timpson worked for Microsoft Corporation, where he managed a Security Development Lifecycle (SDL) team to evaluate the security of Microsoft software. Before that, Timpson managed a team at Novell that tested identity and access management systems and their underlying PKI framework. Timpson has a BS in Computer Science & Information Technology and an MBA from Westminster College.